Estimated reading time 3 minutes 3 Min

Optus hacker’s $1.5 million ransom backflip as FBI called in over data breach

As the group behind the Optus data breach withdraws its ransom demand, an international effort is being launched to address the consequences.

September 28, 2022
By Paul Osborne
28 September 2022

No effort is being spared in looking into the Optus customer record breach, with the FBI joining the Australian Federal Police in probing the alarming incident.

Attorney-General Mark Dreyfus revealed the international cooperation as the group behind the breach scrapped its ransom demand and claimed to have deleted the 11 million customers’ records it scraped from the telco’s website.

The attempt to force Optus to pay $US1 million ($A1.54 million) by Friday was dropped hours after the group released a batch of 10,000 Australian customers’ sensitive details on a data breach forum on the clear web.

“Too many eyes. We will not sale (sic) data to anyone. We cant if we even want to: personally deleted data from drive (Only copy),” the group said on Tuesday.

They said they would have alerted Optus to its vulnerability if the telco had a secure method to contact or a bug bounty.

The batch released on Tuesday was still online as of 1.30pm Sydney time.

The illegally obtained information includes passport, Medicare and driver’s licence numbers, dates of birth, home addresses and information about whether a person is renting or living with parents.

Several state governments have struck agreements with Optus to protect customers whose driver’s licences were compromised.

In Victoria and NSW, people can get replacement cards and Optus will cover the costs.

Affected customers in Queensland and South Australia can organise replacement licenses free of charge, while the ACT and other jurisdictions are still working through the issue.

The hackers said they would have alerted Optus to its vulnerability if the telco had a secure method to contact or a bug bounty.

Mr Dreyfus told parliament a whole-of-government response had been launched, with the AFP not only working with government and industry but also the FBI.

The attorney-general also expressed concern Optus did not report the exposure of Medicare numbers in the breach.

Opposition defence spokesman Andrew Hastie described the government’s response to the hack as “lacklustre and slow”.

GLADYS BEREJIKLIAN DIGITAL LICENCE Governments will make it easy for Optus customers hurt by a data breach to get a new licence number.Joel Carrett/AAP PHOTOS
Governments will make it easy for Optus customers hurt by a data breach to get a new licence number.

The opposition is calling for the government to waive fees and expedite the processing of new passports for Optus customers whose passport numbers had been compromised. 

“Victims of the Optus cyber hack should not have to wait or pay significant amounts of fees to secure their personal information, and obtain a new passport,” shadow foreign affairs spokesman Simon Birmingham and shadow cyber security spokesman James Patterson said in a statement..

They said the Department of Foreign Affairs was advising on its website that “if you choose to replace your passport you’ll have to pay” as the department was not responsible for the data breach. 

Optus says it has sent email or SMS messages to customers whose details were compromised and apologised for the concern it has caused.

But it insists payment details and account passwords were not compromised as a result of the attack.

The privacy commissioner has urged Optus customers to be vigilant and not click on any links in text messages.

More in Top Stories